16 C.F.R. PART 312—CHILDREN'S ONLINE PRIVACY PROTECTION RULE
Title 16 - Commercial Practices
Authority: 15 U.S.C. 6501–6508.
Source: 64 FR 59911, Nov. 3, 1999, unless otherwise noted.
This part implements the Children's Online Privacy Protection Act of 1998, (15 U.S.C. 6501, et seq.,) which prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet. The effective date of this part is April 21, 2000. Child means an individual under the age of 13. Collects or collection means the gathering of any personal information from a child by any means, including but not limited to: (a) Requesting that children submit personal information online; (b) Enabling children to make personal information publicly available through a chat room, message board, or other means, except where the operator deletes all individually identifiable information from postings by children before they are made public, and also deletes such information from the operator's records; or (c) The passive tracking or use of any identifying code linked to an individual, such as a cookie. Commission means the Federal Trade Commission. Delete means to remove personal information such that it is not maintained in retrievable form and cannot be retrieved in the normal course of business. Disclosure means, with respect to personal information: (a) The release of personal information collected from a child in identifiable form by an operator for any purpose, except where an operator provides such information to a person who provides support for the internal operations of the website or online service and who does not disclose or use that information for any other purpose. For purposes of this definition: (1) Release of personal information means the sharing, selling, renting, or any other means of providing personal information to any third party, and (2) Support for the internal operations of the website or online service means those activities necessary to maintain the technical functioning of the website or online service, or to fulfill a request of a child as permitted by §312.5(c)(2) and (3); or (b) Making personal information collected from a child by an operator publicly available in identifiable form, by any means, including by a public posting through the Internet, or through a personal home page posted on a website or online service; a pen pal service; an electronic mail service; a message board; or a chat room. Federal agency means an agency, as that term is defined in Section 551(1) of title 5, United States Code. Internet means collectively the myriad of computer and telecommunications facilities, including equipment and operating software, which comprise the interconnected world-wide network of networks that employ the Transmission Control Protocol/Internet Protocol, or any predecessor or successor protocols to such protocol, to communicate information of all kinds by wire, radio, or other methods of transmission. Online contact information means an e-mail address or any other substantially similar identifier that permits direct contact with a person online. Operator means any person who operates a website located on the Internet or an online service and who collects or maintains personal information from or about the users of or visitors to such website or online service, or on whose behalf such information is collected or maintained, where such website or online service is operated for commercial purposes, including any person offering products or services for sale through that website or online service, involving commerce: (a) Among the several States or with 1 or more foreign nations; (b) In any territory of the United States or in the District of Columbia, or between any such territory and (1) Another such territory, or (2) Any State or foreign nation; or (c) Between the District of Columbia and any State, territory, or foreign nation. This definition does not include any nonprofit entity that would otherwise be exempt from coverage under Section 5 of the Federal Trade Commission Act (15 U.S.C. 45). Parent includes a legal guardian. Person means any individual, partnership, corporation, trust, estate, cooperative, association, or other entity. Personal information means individually identifiable information about an individual collected online, including: (a) A first and last name; (b) A home or other physical address including street name and name of a city or town; (c) An e-mail address or other online contact information, including but not limited to an instant messaging user identifier, or a screen name that reveals an individual's e-mail address; (d) A telephone number; (e) A Social Security number; (f) A persistent identifier, such as a customer number held in a cookie or a processor serial number, where such identifier is associated with individually identifiable information; or a combination of a last name or photograph of the individual with other information such that the combination permits physical or online contacting; or (g) Information concerning the child or the parents of that child that the operator collects online from the child and combines with an identifier described in this definition. Third party means any person who is not: (a) An operator with respect to the collection or maintenance of personal information on the website or online service; or (b) A person who provides support for the internal operations of the website or online service and who does not use or disclose information protected under this part for any other purpose. Obtaining verifiable consent means making any reasonable effort (taking into consideration available technology) to ensure that before personal information is collected from a child, a parent of the child: (a) Receives notice of the operator's personal information collection, use, and disclosure practices; and (b) Authorizes any collection, use, and/or disclosure of the personal information. Website or online service directed to children means a commercial website or online service, or portion thereof, that is targeted to children. Provided, however, that a commercial website or online service, or a portion thereof, shall not be deemed directed to children solely because it refers or links to a commercial website or online service directed to children by using information location tools, including a directory, index, reference, pointer, or hypertext link. In determining whether a commercial website or online service, or a portion thereof, is targeted to children, the Commission will consider its subject matter, visual or audio content, age of models, language or other characteristics of the website or online service, as well as whether advertising promoting or appearing on the website or online service is directed to children. The Commission will also consider competent and reliable empirical evidence regarding audience composition; evidence regarding the intended audience; and whether a site uses animated characters and/or child-oriented activities and incentives. General requirements. It shall be unlawful for any operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed under this part. Generally, under this part, an operator must: (a) Provide notice on the website or online service of what information it collects from children, how it uses such information, and its disclosure practices for such information (§312.4(b)); (b) Obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children (§312.5); (c) Provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance (§312.6); (d) Not condition a child's participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity (§312.7); and (e) Establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (§312.8). (a) General principles of notice. All notices under §§312.3(a) and 312.5 must be clearly and understandably written, be complete, and must contain no unrelated, confusing, or contradictory materials. (b) Notice on the website or online service. Under §312.3(a), an operator of a website or online service directed to children must post a link to a notice of its information practices with regard to children on the home page of its website or online service and at each area on the website or online service where personal information is collected from children. An operator of a general audience website or online service that has a separate children's area or site must post a link to a notice of its information practices with regard to children on the home page of the children's area. (1) Placement of the notice. (i) The link to the notice must be clearly labeled as a notice of the website or online service's information practices with regard to children; (ii) The link to the notice must be placed in a clear and prominent place and manner on the home page of the website or online service; and (iii) The link to the notice must be placed in a clear and prominent place and manner at each area on the website or online service where children directly provide, or are asked to provide, personal information, and in close proximity to the requests for information in each such area. (2) Content of the notice. To be complete, the notice of the website or online service's information practices must state the following: (i) The name, address, telephone number, and e-mail address of all operators collecting or maintaining personal information from children through the website or online service. Provided that: the operators of a website or online service may list the name, address, phone number, and e-mail address of one operator who will respond to all inquiries from parents concerning the operators' privacy policies and use of children's information, as long as the names of all the operators collecting or maintaining personal information from children through the website or online service are also listed in the notice; (ii) The types of personal information collected from children and whether the personal information is collected directly or passively; (iii) How such personal information is or may be used by the operator(s), including but not limited to fulfillment of a requested transaction, recordkeeping, marketing back to the child, or making it publicly available through a chat room or by other means; (iv) Whether personal information is disclosed to third parties, and if so, the types of business in which such third parties are engaged, and the general purposes for which such information is used; whether those third parties have agreed to maintain the confidentiality, security, and integrity of the personal information they obtain from the operator; and that the parent has the option to consent to the collection and use of their child's personal information without consenting to the disclosure of that information to third parties; (v) That the operator is prohibited from conditioning a child's participation in an activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity; and (vi) That the parent can review and have deleted the child's personal information, and refuse to permit further collection or use of the child's information, and state the procedures for doing so. (c) Notice to a parent. Under §312.5, an operator must make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives notice of the operator's practices with regard to the collection, use, and/or disclosure of the child's personal information, including notice of any material change in the collection, use, and/or disclosure practices to which the parent has previously consented. (1) Content of the notice to the parent. (i) All notices must state the following: (A) That the operator wishes to collect personal information from the child; (B) The information set forth in paragraph (b) of this section. (ii) In the case of a notice to obtain verifiable parental consent under §312.5(a), the notice must also state that the parent's consent is required for the collection, use, and/or disclosure of such information, and state the means by which the parent can provide verifiable consent to the collection of information. (iii) In the case of a notice under the exception in §312.5(c)(3), the notice must also state the following: (A) That the operator has collected the child's e-mail address or other online contact information to respond to the child's request for information and that the requested information will require more than one contact with the child; (B) That the parent may refuse to permit further contact with the child and require the deletion of the information, and how the parent can do so; and (C) That if the parent fails to respond to the notice, the operator may use the information for the purpose(s) stated in the notice. (iv) In the case of a notice under the exception in §312.5(c)(4), the notice must also state the following: (A) That the operator has collected the child's name and e-mail address or other online contact information to protect the safety of the child participating on the website or online service; (B) That the parent may refuse to permit the use of the information and require the deletion of the information, and how the parent can do so; and (C) That if the parent fails to respond to the notice, the operator may use the information for the purpose stated in the notice. (a) General requirements. (1) An operator is required to obtain verifiable parental consent before any collection, use, and/or disclosure of personal information from children, including consent to any material change in the collection, use, and/or disclosure practices to which the parent has previously consented. (2) An operator must give the parent the option to consent to the collection and use of the child's personal information without consenting to disclosure of his or her personal information to third parties. (b) Mechanisms for verifiable parental consent. (1) An operator must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology. Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent. (2) Methods to obtain verifiable parental consent that satisfy the requirements of this paragraph include: providing a consent form to be signed by the parent and returned to the operator by postal mail or facsimile; requiring a parent to use a credit card in connection with a transaction; having a parent call a toll-free telephone number staffed by trained personnel; using a digital certificate that uses public key technology; and using e-mail accompanied by a PIN or password obtained through one of the verification methods listed in this paragraph. Provided that: Until the Commission otherwise determines, methods to obtain verifiable parental consent for uses of information other than the “disclosures” defined by §312.2 may also include use of e-mail coupled with additional steps to provide assurances that the person providing the consent is the parent. Such additional steps include: sending a confirmatory e-mail to the parent following receipt of consent; or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call. Operators who use such methods must provide notice that the parent can revoke any consent given in response to the earlier e-mail. (c) Exceptions to prior parental consent. Verifiable parental consent is required prior to any collection, use and/or disclosure of personal information from a child except as set forth in this paragraph. The exceptions to prior parental consent are as follows: (1) Where the operator collects the name or online contact information of a parent or child to be used for the sole purpose of obtaining parental consent or providing notice under §312.4. If the operator has not obtained parental consent after a reasonable time from the date of the information collection, the operator must delete such information from its records; (2) Where the operator collects online contact information from a child for the sole purpose of responding directly on a one-time basis to a specific request from the child, and where such information is not used to recontact the child and is deleted by the operator from its records; (3) Where the operator collects online contact information from a child to be used to respond directly more than once to a specific request from the child, and where such information is not used for any other purpose. In such cases, the operator must make reasonable efforts, taking into consideration available technology, to ensure that a parent receives notice and has the opportunity to request that the operator make no further use of the information, as described in §312.4(c), immediately after the initial response and before making any additional response to the child. Mechanisms to provide such notice include, but are not limited to, sending the notice by postal mail or sending the notice to the parent's e-mail address, but do not include asking a child to print a notice form or sending an e-mail to the child; (4) Where the operator collects a child's name and online contact information to the extent reasonably necessary to protect the safety of a child participant on the website or online service, and the operator uses reasonable efforts to provide a parent notice as described in §312.4(c), where such information is: (i) Used for the sole purpose of protecting the child's safety; (ii) Not used to recontact the child or for any other purpose; (iii) Not disclosed on the website or online service; and (5) Where the operator collects a child's name and online contact information and such information is not used for any other purpose, to the extent reasonably necessary: (i) To protect the security or integrity of its website or online service; (ii) To take precautions against liability; (iii) To respond to judicial process; or (iv) To the extent permitted under other provisions of law, to provide information to law enforcement agencies or for an investigation on a matter related to public safety. [64 FR 59911, Nov. 3, 1999, as amended at 67 FR 18821, Apr. 17, 2002; 70 FR 21106, Apr. 22, 2005] (a) Upon request of a parent whose child has provided personal information to a website or online service, the operator of that website or online service is required to provide to that parent the following: (1) A description of the specific types or categories of personal information collected from children by the operator, such as name, address, telephone number, e-mail address, hobbies, and extracurricular activities; (2) The opportunity at any time to refuse to permit the operator's further use or future online collection of personal information from that child, and to direct the operator to delete the child's personal information; and (3) Notwithstanding any other provision of law, a means of reviewing any personal information collected from the child. The means employed by the operator to carry out this provision must: (i) Ensure that the requestor is a parent of that child, taking into account available technology; and (ii) Not be unduly burdensome to the parent. (b) Neither an operator nor the operator's agent shall be held liable under any Federal or State law for any disclosure made in good faith and following reasonable procedures in responding to a request for disclosure of personal information under this section. (c) Subject to the limitations set forth in §312.7, an operator may terminate any service provided to a child whose parent has refused, under paragraph (a)(2) of this section, to permit the operator's further use or collection of personal information from his or her child or has directed the operator to delete the child's personal information. An operator is prohibited from conditioning a child's participation in a game, the offering of a prize, or another activity on the child's disclosing more personal information than is reasonably necessary to participate in such activity. The operator must establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children. Subject to sections 6503 and 6505 of the Children's Online Privacy Protection Act of 1998, a violation of a regulation prescribed under section 6502 (a) of this Act shall be treated as a violation of a rule defining an unfair or deceptive act or practice prescribed under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)). (a) In general. An operator will be deemed to be in compliance with the requirements of this part if that operator complies with self-regulatory guidelines, issued by representatives of the marketing or online industries, or by other persons, that, after notice and comment, are approved by the Commission. (b) Criteria for approval of self-regulatory guidelines. To be approved by the Commission, guidelines must include the following: (1) A requirement that operators subject to the guidelines (“subject operators”) implement substantially similar requirements that provide the same or greater protections for children as those contained in §§312.2 through 312.9; (2) An effective, mandatory mechanism for the independent assessment of subject operators' compliance with the guidelines. This performance standard may be satisfied by: (i) Periodic reviews of subject operators' information practices conducted on a random basis either by the industry group promulgating the guidelines or by an independent entity; (ii) Periodic reviews of all subject operators' information practices, conducted either by the industry group promulgating the guidelines or by an independent entity; (iii) Seeding of subject operators' databases, if accompanied by either paragraphs (b)(2)(i) or (b)(2)(ii) of this section; or (iv) Any other equally effective independent assessment mechanism; and (3) Effective incentives for subject operators' compliance with the guidelines. This performance standard may be satisfied by: (i) Mandatory, public reporting of disciplinary action taken against subject operators by the industry group promulgating the guidelines; (ii) Consumer redress; (iii) Voluntary payments to the United States Treasury in connection with an industry-directed program for violators of the guidelines; (iv) Referral to the Commission of operators who engage in a pattern or practice of violating the guidelines; or (v) Any other equally effective incentive. (4) The assessment mechanism required under paragraph (b)(2) of this section can be provided by an independent enforcement program, such as a seal program. In considering whether to initiate an investigation or to bring an enforcement action for violations of this part, and in considering appropriate remedies for such violations, the Commission will take into account whether an operator has been subject to self-regulatory guidelines approved under this section and whether the operator has taken remedial action pursuant to such guidelines, including but not limited to actions set forth in paragraphs (b)(3)(i) through (iii) of this section. (c) Request for Commission approval of self-regulatory guidelines. (1) To obtain Commission approval of self-regulatory guidelines, industry groups or other persons must file a request for such approval. A request shall be accompanied by the following: (i) A copy of the full text of the guidelines for which approval is sought and any accompanying commentary; (ii) A comparison of each provision of §§312.3 through 312.8 with the corresponding provisions of the guidelines; and (iii) A statement explaining: (A) How the guidelines, including the applicable assessment mechanism, meet the requirements of this part; and (B) How the assessment mechanism and compliance incentives required under paragraphs (b)(2) and (3) of this section provide effective enforcement of the requirements of this part. (2) The Commission shall act upon a request under this section within 180 days of the filing of such request and shall set forth its conclusions in writing. (3) Industry groups or other persons whose guidelines have been approved by the Commission must submit proposed changes in those guidelines for review and approval by the Commission in the manner required for initial approval of guidelines under paragraph (c)(1). The statement required under paragraph (c)(1)(iii) must describe how the proposed changes affect existing provisions of the guidelines. (d) Records. Industry groups or other persons who seek safe harbor treatment by compliance with guidelines that have been approved under this part shall maintain for a period not less than three years and upon request make available to the Commission for inspection and copying: (1) Consumer complaints alleging violations of the guidelines by subject operators; (2) Records of disciplinary actions taken against subject operators; and (3) Results of the independent assessments of subject operators' compliance required under paragraph (b)(2) of this section. (e) Revocation of approval. The Commission reserves the right to revoke any approval granted under this section if at any time it determines that the approved self-regulatory guidelines and their implementation do not, in fact, meet the requirements of this part. No later than April 21, 2005, the Commission shall initiate a rulemaking review proceeding to evaluate the implementation of this part, including the effect of the implementation of this part on practices relating to the collection and disclosure of information relating to children, children's ability to obtain access to information of their choice online, and on the availability of websites directed to children; and report to Congress on the results of this review. The provisions of this part are separate and severable from one another. If any provision is stayed or determined to be invalid, it is the Commission's intention that the remaining provisions shall continue in effect.
Title 16: Commercial Practices
PART 312—CHILDREN'S ONLINE PRIVACY PROTECTION RULE
Section Contents
§ 312.1 Scope of regulations in this part.
§ 312.2 Definitions.
§ 312.3 Regulation of unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.
§ 312.4 Notice.
§ 312.5 Parental consent.
§ 312.6 Right of parent to review personal information provided by a child.
§ 312.7 Prohibition against conditioning a child's participation on collection of personal information.
§ 312.8 Confidentiality, security, and integrity of personal information collected from children.
§ 312.9 Enforcement.
§ 312.10 Safe harbors.
§ 312.11 Rulemaking review.
§ 312.12 Severability.
§ 312.1 Scope of regulations in this part.
top
§ 312.2 Definitions.
top
§ 312.3 Regulation of unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.
top
§ 312.4 Notice.
top
§ 312.5 Parental consent.
top
§ 312.6 Right of parent to review personal information provided by a child.
top
§ 312.7 Prohibition against conditioning a child's participation on collection of personal information.
top
§ 312.8 Confidentiality, security, and integrity of personal information collected from children.
top
§ 312.9 Enforcement.
top
§ 312.10 Safe harbors.
top
§ 312.11 Rulemaking review.
top
§ 312.12 Severability.
top
